Our Take on California’s New Ballot Initiative

A year after his initial success with the California Consumer Protection Act (CCPA), Alastair Mactaggart is continuing to advance the privacy journey with a new California ballot initiative slated for the November 2020 election. The California Privacy Rights and Enforcement Act of 2020 seeks to continue the work started by CCPA by strengthening consumer protections and defining new requirements businesses need to follow.

Key Elements of the Ballot Include:

• Enhanced efforts to restrict access to information regarding children and teenagers. While the existing statute focuses on permission to sell that data, the new proposal would require a company obtain permission before collecting data from consumers younger than 16 – an “opt-in” provision. If the person is 13 or younger, the company would need approval from a parent or guardian to collect data.
• Requirements for technology companies to disclose information about the algorithms used to target consumers with specific advertisements.
• Creation of a new state agency to field privacy questions and complaints and enforce the privacy protections rather than leaving oversight to the California attorney general’s office.
• Tracking the time period a business intends to retain each category of a consumer’s personal or sensitive information, providing the business doesn’t retain information for each specific disclosed purpose for which it was collected for longer than is reasonably necessary.

Our Take: Change Is Inevitable

Privacy legislation is an ongoing journey that is going through a period of great change. CCPA brought new requirements for organizations to track the types of data they were processing and the types of vendors they were sharing it with and provide that information to consumers via Subject Rights Requests. When CCPA was penned, however, we knew that clarifications and changes would follow.

This new initiative underscores the importance of the privacy issue and is a step toward building an infrastructure that can provide expert, detailed guidance.

The Importance of Transparency

The new requirements further the goal of putting control of personal data in the hands of the people to whom it belongs.

Since the early days, modern privacy legislation has been crafted to implement controls directed at achieving our core human values. Privacy is a fundamental right that resonates with all humans. “The right to left alone” as it has been described demonstrates that humans want to be in control and choose how they interact with the world. This concept was penned by Louis Brandeis, a member of the supreme court, when describing core privacy values and challenges in a Harvard law review article he authored in 1890.

Technical advancements have fueled the pursuit of these rights over the past 40 years. All business transactions are now completed with the aid of computers and produce digital information which has become increasingly more personal and sensitive. This information – although about people – is not controlled by the people to whom the data refers. Additionally, this information has become an entity unto itself and contains valuable details on how we live, eat and function.

Flexibility Is Key

In creating these and other new requirements surrounding the processing of personal information the ballot authors will be forcing organizations to further improve their data management capabilities.

Granular tracking of data collection procedures, opt-in management, analytic operations, and data retention will require more details about the data to be captured, stored and understood. Serving up the right data to complete a Subject Rights Request will be an exercise of understanding the status and make-up of any particular piece of data quickly and accurately.

Privacy management platforms will have to be flexible and scalable enough to support these new requirements. Comprehensive inventory and classification solutions that enable organizations to understand and track sensitive customer data will be key to meeting current and future privacy regulations.